<ossec_config>
  <global>
    <jsonout_output>{{ ossec_manager_config.jsonout_output }}</jsonout_output>
    <alerts_log>{{ ossec_manager_config.alerts_log }}</alerts_log>
    <logall>{{ ossec_manager_config.logall }}</logall>
    <logall_json>{{ ossec_manager_config.logall_json }}</logall_json>
    <max_output_size>{{ ossec_manager_config.max_output_size }}</max_output_size>
    <email_notification>{{ ossec_mail_arg.email_notification }}</email_notification>
{% for to in ossec_mail_arg.email_to %}
    <email_to>{{ to }}</email_to>
{% endfor %}
    <smtp_server>{{ ossec_mail_arg.smtp_server }}</smtp_server>
    <email_from>{{ ossec_mail_arg.email_from }}</email_from>
    <email_maxperhour>{{ ossec_mail_arg.email_maxperhour }}</email_maxperhour>
    <email_log_source>{{ ossec_mail_arg.email_log }}</email_log_source>
{% for ip_list in ossec_manager_config.white_list %}
    <white_list>{{ ip_list }}</white_list>
{% endfor %}
  </global>

  <alerts>
    <log_alert_level>{{ ossec_manager_config.log_alert_level }}</log_alert_level>
    <email_alert_level>{{ ossec_mail_arg.email_alert_level }}</email_alert_level>
  </alerts>

  <logging>
    <log_format>{{ ossec_manager_config.log_format }}</log_format>
  </logging>

{% for remote in ossec_manager_config.remote %}
  <remote>
    <connection>{{ remote.type | default('secure') }}</connection>
    <port>{{ remote.port | default('1514') }}</port>
    <protocol>{{ remote.protocol | default('udp') }}</protocol>
    <local_ip>{{ ansible_default_ipv4.address }}</local_ip>
    <ipv6>{{ remote.ipv6 | default('no') }}</ipv6>
{% if remote.allowed_ips is defined %}
{% for allowed_ip in remote.allowed_ips %}
    <allowed-ips>{{ allowed_ip }}</allowed-ips>
{% endfor %}
{% endif %}
{% if remote.denied_ips is defined %}
{% for denied_ip in remote.denied_ips %}
    <denied-ips>{{ denied_ip }}</denied-ips>
{% endfor %}
{% endif %}
  </remote>
{% endfor %}

{% if ossec_manager_config.reports is defined %}
{% for report in ossec_manager_config.reports %}
{% if report.enable %}
  <reports>
    <category>{{ report.category }}</category>
    <title>{{ report.title }}</title>
{% for to in report.email_to %}
    <email_to>{{ to }}</email_to>
{% endfor %}
    <showlogs>yes</showlogs>
{% if report.location is defined %}    <location>{{ report.location }}</location>{% endif %}
{% if report.group is defined %}    <group>{{ report.group }}</group>{% endif %}
{% if report.rule is defined %}    <rule>{{ report.rule }}</rule>{% endif %}
{% if report.level is defined %}    <level>{{ report.level }}</level>{% endif %}
{% if report.srcip is defined %}    <srcip>{{ report.srcip }}</srcip>{% endif %}
{% if report.user is defined %}    <user>{{ report.user }}</user>{% endif %}
  </reports>
{% endif %}
{% endfor %}
{% endif %}

{% if ossec_virustotal_apikey is defined %}
  <integration>
    <name>virustotal</name>
    <api_key>{{ ossec_virustotal_apikey }}</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
{% endif %}

  <rootcheck>
    <disabled>{{ ossec_manager_config.rootcheck.disable }}</disabled>
    <scanall>{{ ossec_manager_config.rootcheck.scanall }}</scanall>
    <check_files>{{ ossec_manager_config.rootcheck.check_files }}</check_files>
    <check_trojans>{{ ossec_manager_config.rootcheck.check_trojans }}</check_trojans>
    <check_dev>{{ ossec_manager_config.rootcheck.check_dev }}</check_dev>
    <check_sys>{{ ossec_manager_config.rootcheck.check_sys }}</check_sys>
    <check_pids>{{ ossec_manager_config.rootcheck.check_pids }}</check_pids>
    <check_ports>{{ ossec_manager_config.rootcheck.check_ports }}</check_ports>
    <check_if>{{ ossec_manager_config.rootcheck.check_if }}</check_if>
    <frequency>{{ ossec_manager_config.rootcheck.frequency }}</frequency>
    <system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
    <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>{{ ossec_manager_config.rootcheck.skip_nfs }}</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>{{ ossec_manager_config.openscap.disable }}</disabled>
    <timeout>{{ ossec_manager_config.openscap.timeout }}</timeout>
    <interval>{{ ossec_manager_config.openscap.interval }}</interval>
    <scan-on-start>{{ ossec_manager_config.openscap.scan_on_start }}</scan-on-start>
    <content type="xccdf" path="/usr/share/xml/scap/ssg/content/ssg-{% if ansible_distribution == 'CentOS' %}centos{% elif ansible_distribution == 'RedHat' %}rhel{% endif %}{{ ansible_distribution_major_version }}-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    </content>
  </wodle>

  <wodle name="osquery">
    <disabled>{{ ossec_manager_config.osquery.disable }}</disabled>
    <run_daemon>{{ ossec_manager_config.osquery.run_daemon }}</run_daemon>
    <log_path>{{ ossec_manager_config.osquery.log_path }}</log_path>
    <config_path>{{ ossec_manager_config.osquery.config_path }}</config_path>
    <add_labels>{{ ossec_manager_config.osquery.ad_labels }}</add_labels>
  </wodle>

  <wodle name="syscollector">
    <disabled>{{ ossec_manager_config.syscollector.disable }}</disabled>
    <interval>{{ ossec_manager_config.syscollector.interval }}</interval>
    <scan_on_start>{{ ossec_manager_config.syscollector.scan_on_start }}</scan_on_start>
    <hardware>{{ ossec_manager_config.syscollector.hardware }}</hardware>
    <os>{{ ossec_manager_config.syscollector.os }}</os>
    <network>{{ ossec_manager_config.syscollector.network }}</network>
    <packages>{{ ossec_manager_config.syscollector.packages }}</packages>
    <ports all="no">{{ ossec_manager_config.syscollector.ports_no }}</ports>
    <processes>{{ ossec_manager_config.syscollector.processes }}</processes>
  </wodle>

  <vulnerability-detector>
    <enabled>{{ ossec_manager_config.vul_detector.enabled }}</enabled>
    <interval>{{ ossec_manager_config.vul_detector.interval }}</interval>
    <ignore_time>{{ ossec_manager_config.vul_detector.ignore_time }}</ignore_time>
    <run_on_start>{{ ossec_manager_config.vul_detector.run_on_start }}</run_on_start>
{% for key in ossec_manager_config.vul_detector.provider %}
    <provider name="{{ key }}">
      <enabled>yes</enabled>
{% if key == 'redhat' %}
      <os path="/var/ossec/var/feed/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
      <os path="/var/ossec/var/feed/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os path="/var/ossec/var/feed/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os path="/var/ossec/var/feed/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <path>/var/ossec/var/feed/redhat-feed.*json$</path>
{% elif key == 'debian' %}
      <os path="/var/ossec/var/feed/oval-definitions-buster.xml">buster</os>
      <os path="/var/ossec/var/feed/oval-definitions-stretch.xml">stretch</os>
{% elif key == 'canonical' %}
      <os path="/var/ossec/var/feed/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
      <os path="/var/ossec/var/feed/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
      <os path="/var/ossec/var/feed/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
      <os path="/var/ossec/var/feed/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
{% else %}
{% endif %}
      <update_interval>{{ ossec_manager_config.vul_detector.update_interval }}</update_interval>
    </provider>
{% endfor %}
  </vulnerability-detector>

  <syscheck>
    <disabled>{{ ossec_manager_config.syscheck.disable }}</disabled>
    <auto_ignore>{{ ossec_manager_config.syscheck.auto_ignore }}</auto_ignore>
    <alert_new_files>{{ ossec_manager_config.syscheck.alert_new_files }}</alert_new_files>
    <frequency>{{ ossec_manager_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ ossec_manager_config.syscheck.scan_on_start }}</scan_on_start>
{% if ossec_manager_config.syscheck.auto_ignore_frequency is defined %}
    <auto_ignore {{ ossec_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ ossec_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{ ossec_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %}
{% if ossec_manager_config.syscheck.directories is defined %}
{% for directory in ossec_manager_config.syscheck.directories %}
    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
{% if ossec_manager_config.syscheck.ignore is defined %}
{% for ignore in ossec_manager_config.syscheck.ignore %}
    <ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% for no_diff in ossec_manager_config.syscheck.no_diff %}
    <nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% if ossec_manager_config.syscheck.skip_nfs is defined %}
    <skip_nfs>{{ ossec_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
{% if ossec_manager_config.syscheck.remove_old_diff is defined %}
    <remove_old_diff>{{ ossec_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
{% endif %}
{% if ossec_manager_config.syscheck.restart_audit is defined %}
    <restart_audit>{{ ossec_manager_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
  </syscheck>

{% for command in ossec_manager_config.commands %}
  <command>
    <name>{{ command.name }}</name>
    <executable>{{ command.executable }}</executable>
    <expect>{{ command.expect }}</expect>
    <timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
  </command>
{% endfor %}

  <ruleset>
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
{% if ossec_manager_config.rule_exclude is defined %}
{% for rule in ossec_manager_config.rule_exclude %}
    <rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
    <list>etc/lists/{{ list.name }}</list>
{% endfor %}
{% endif %}
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <auth>
    <disabled>{{ ossec_manager_config.authd.disable }}</disabled>
    <port>{{ ossec_port_arg.register | default('1515') }}</port>
{% if ossec_manager_config.authd.use_source_ip is not none %}
    <use_source_ip>{{ ossec_manager_config.authd.use_source_ip}}</use_source_ip>
{% endif %}
{% if ossec_manager_config.authd.force_insert is not none %}
    <force_insert>{{ ossec_manager_config.authd.force_insert}}</force_insert>
{% endif %}
{% if ossec_manager_config.authd.force_time is not none %}
    <force_time>{{ ossec_manager_config.authd.force_time}}</force_time>
{% endif %}
{% if ossec_manager_config.authd.purge is not none %}
    <purge>{{ ossec_manager_config.authd.purge}}</purge>
{% endif %}
{% if ossec_manager_config.authd.use_password is not none %}
    <use_password>{{ ossec_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if ossec_manager_config.authd.ssl_agent_ca is not none %}
    <ssl_agent_ca>/var/ossec/etc/{{ ossec_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}
{% if ossec_manager_config.authd.ssl_verify_host is not none %}
    <ssl_verify_host>{{ ossec_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
{% endif %}
{% if ossec_manager_config.authd.ssl_manager_cert is not none %}
    <ssl_manager_cert>/var/ossec/etc/{{ ossec_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
{% endif %}
{% if ossec_manager_config.authd.ssl_manager_key is not none %}
    <ssl_manager_key>/var/ossec/etc/{{ ossec_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
{% endif %}
{% if ossec_manager_config.authd.ssl_auto_negotiate is not none %}
    <ssl_auto_negotiate>{{ ossec_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
{% endif %}
  </auth>

  <cluster>
    <disabled>{% if ossec_servers | length > 1 %}no{% else %}yes{% endif %}</disabled>
    <name>{{ ossec_cluster | upper | default('OSSEC') }}</name>
    <node_name>{{ ansible_hostname }}</node_name>
    <node_type>{% if ossec_servers[0] in ansible_default_ipv4.address %}master{% else %}worker{% endif %}</node_type>
    <key>{{ lookup('password', '' + group_names[0] + ':cluster:communication:key length=32 chars=ascii_letters,digits') }}</key>
    <port>{{ ossec_port_arg.cluster | default('1516') }}</port>
    <bind_addr>{{ ansible_default_ipv4.address }}</bind_addr>
    <nodes>
      <node>{{ ossec_servers[0] }}</node>
    </nodes>
    <hidden>{{ ossec_cluster_arg.hidden }}</hidden>
  </cluster>

{% if ossec_agentless_creds is defined %}
{% for agentless in ossec_agentless_creds %}
  <agentless>
    <type>{{ agentless.type }}</type>
    <frequency>{{ agentless.frequency }}</frequency>
    <host>{{ agentless.host }}</host>
    <state>{{ agentless.state }}</state>
{% if agentless.arguments is defined %}
      <arguments>{{ agentless.arguments }}</arguments>
{% endif %}
  </agentless>
{% endfor %}
{% endif %}

{% if ossec_manager_config.active_responses is defined %}
  {% for response in ossec_manager_config.active_responses %}
    <active-response>
      <disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
{%if response.command is defined %}      <command>{{ response.command }}</command>{% endif %}
{%if response.location is defined %}      <location>{{ response.location }}</location>{% endif %}
{%if response.agent_id is defined %}      <agent_id>{{ response.agent_id }}</agent_id>{% endif %}
{%if response.level is defined %}      <level>{{ response.level }}</level>{% endif %}
{%if response.rules_group is defined %}      <rules_group>{{ response.rules_group }}</rules_group>{% endif %}
{%if response.rules_id is defined %}      <rules_id>{{ response.rules_id }}</rules_id>{% endif %}
{%if response.timeout is defined %}      <timeout>{{ response.timeout }}</timeout>{% endif %}
{%if response.repeated_offenders is defined %}      <repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
    </active-response>
{% endfor %}
{% endif %}

{% for localfile in ossec_manager_config.localfiles.common %}
  <localfile>
     <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
     <command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
     <alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
     <frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
     <location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
     <query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.iteritems() %}
     <label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
     <target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
     <out_format>{{ localfile.out_format }}</out_format>
{% endif %}
  </localfile>
{% endfor %}

{% if ansible_os_family == "Debian" %}
{% for localfile in ossec_manager_config.localfiles.debian %}
  <localfile>
     <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
     <command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
     <alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
     <frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
     <location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
     <query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.iteritems() %}
     <label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
     <target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
     <out_format>{{ localfile.out_format }}</out_format>
{% endif %}
  </localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}  
{% for localfile in ossec_manager_config.localfiles.centos %}
  <localfile>
     <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
     <command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
     <alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
     <frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
     <location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
     <query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.iteritems() %}
     <label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
     <target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
     <out_format>{{ localfile.out_format }}</out_format>
{% endif %}
  </localfile>
{% endfor %}
{% endif %}

{% if ossec_manager_config.syslog_outputs is defined %}
{% for syslog_output in ossec_manager_config.syslog_outputs %}
{% if syslog_output.server is not none  %}
  <syslog_output>
    <server>{{ syslog_output.server }}</server>
    <port>{{ syslog_output.port }}</port>
    <format>{{ syslog_output.format }}</format>
  </syslog_output>
{% endif %}
{% endfor %}
{% endif %}

  <labels>
    <label key="project">{{ group_names[-1] | title }}</label>
    <label key="group">{{ group_names[0] | title }}</label>
    <label key="environment">{{ environments | default('prd') | lower }}</label>
    <label key="datacenter">{{ datacenter | default('dc01') | lower }}</label>
    <label key="domain">{{ domain | default('local') | lower }}</label>
    <label key="customer">{{ customer | default('demo') | title }}</label>
{% if tags is defined %}
{% for key,value in tags.iteritems() %}
    <label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
  </labels>

</ossec_config>
